Bug 243686 - mail/opensmtpd: Update to v6.6.2p1 (Fixes critical LPE / RCE vulnerability)
Summary: mail/opensmtpd: Update to v6.6.2p1 (Fixes critical LPE / RCE vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any, OS: Any
Importance: Normal, Affects Many People
Assignee: Dima Panov
URL:
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2020-01-28 22:53 UTC by pete
Modified: 2020-01-31 09:39 UTC
2 users

See Also:
koobs: merge-quarterly?


Attachments
update to v6.6.2p1 (842 bytes, patch)
2020-01-29 00:11 UTC, pete

Description pete 2020-01-28 22:53:29 UTC
Here is the heads-up:
https://www.mail-archive.com/misc@opensmtpd.org/msg04850.html

I am working on updating locally and will submit patch when I have it working unless others beat me to it.  Sounds like critical issue.
Comment 1 pete 2020-01-29 00:11:41 UTC
Created attachment 211145
update to v6.6.2p1

I've built and tested this locally on my 12.1-RELEASE system and verified my configuration is working (able to send/receive emails).
Comment 2 commit-hook freebsd_committer 2020-01-29 02:56:00 UTC
A commit references this bug:

Author: fluffy
Date: Wed Jan 29 02:55:06 UTC 2020
New revision: 524529
URL: https://svnweb.freebsd.org/changeset/ports/524529

Log:
  mail/opensmtpd: update to 6.6.2p1 release

  This update addresses LPE and RCE vulnerabilities in OpenSMTPD (CVE-2020-7247)
  https://www.openwall.com/lists/oss-security/2020/01/28/3

  This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch
  smtpd to new grammar") and allows an attacker to execute arbitrary shell
  commands, as root:

  - either locally, in OpenSMTPD's default configuration (which listens on
    the loopback interface and only accepts mail from localhost);

  - or locally and remotely, in OpenSMTPD's "uncommented" default
    configuration (which listens on all interfaces and accepts external
    mail).

  PR:		243686
  Reported by:	authors via irc
  MFH:		2020Q1
  Relnotes:	https://www.mail-archive.com/misc@opensmtpd.org/msg04850.html

Changes:
  head/mail/opensmtpd/Makefile
  head/mail/opensmtpd/distinfo
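On a FreeBSD host the authoritative check is `pkg audit -F`, which consults the VuXML entry for this issue once it is published; `pkg query '%n-%v' opensmtpd` prints the installed name and version. The script below is an added example, not code from this PR, from the port, or from OpenSMTPD: it parses a FreeBSD port version string of the kind `pkg info` prints (e.g. `opensmtpd-6.6.1p1_1`) and reports whether it predates the fixed release 6.6.2p1 named in the commit. The sample package string is constructed, not taken from a real host. The page gives only the commit that introduced the bug (May 2018), not the first affected release, so the check treats every version below 6.6.2p1 as affected.

```shell
#!/bin/sh
# Added example (not the PR's, the port's, or OpenSMTPD's code): decide whether
# a FreeBSD mail/opensmtpd package version predates the fixed release 6.6.2p1.
# Offline helper only; `pkg audit -F` remains the authoritative VuXML check.

FIXED_VERSION="6.6.2p1"

# Print the comparable fields of a FreeBSD port version as four integers
# "major minor micro patch", e.g. 6.6.2p1 -> "6 6 2 1", 6.4.0 -> "6 4 0 0".
# The port revision (_N) and epoch (,N) suffixes are dropped: the fix lives in
# the upstream release, so the port revision does not matter for this check.
version_fields() {
    v="$1"
    v="${v%%,*}"                    # drop ",epoch"
    v="${v%%_*}"                    # drop "_portrevision"
    case "$v" in
        *p*) rel="${v%%p*}"; patch="${v#*p}" ;;   # "6.6.2p1" -> "6.6.2", "1"
        *)   rel="$v";       patch=0 ;;           # no portable patch level
    esac
    set -- $(printf '%s\n' "$rel" | tr '.' ' ')   # split on dots (word splitting intended)
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${patch:-0}"
}

# Return 0 (true) when version $1 sorts strictly before version $2.
version_lt() {
    a=$(version_fields "$1")
    b=$(version_fields "$2")
    set -- $a
    a1=$1; a2=$2; a3=$3; a4=$4
    set -- $b
    b1=$1; b2=$2; b3=$3; b4=$4
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3" "$a4:$b4"; do
        x="${pair%%:*}"; y="${pair##*:}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                        # equal: not strictly less
}

# Extract the version from a `pkg info`-style name-version string such as
# "opensmtpd-6.6.1p1_1".
version_of_pkg() {
    printf '%s\n' "${1##*-}"
}

# 0 (true) if the given version still carries CVE-2020-7247, 1 otherwise.
# Assumption: everything below 6.6.2p1 is treated as affected, since the bug
# report names only the introducing commit, not the first affected release.
opensmtpd_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Human-readable verdict for one installed package string.
report() {
    ver=$(version_of_pkg "$1")
    if opensmtpd_vulnerable "$ver"; then
        printf '%s: affected by CVE-2020-7247, update to %s\n' "$1" "$FIXED_VERSION"
    else
        printf '%s: not affected (>= %s)\n' "$1" "$FIXED_VERSION"
    fi
}

# Constructed sample of `pkg query '%n-%v' opensmtpd` output (not from a real host).
# On a live system: report "$(pkg query '%n-%v' opensmtpd)"
SAMPLE_PKG="opensmtpd-6.6.1p1_1"
report "$SAMPLE_PKG"
```

The comparison deliberately ignores the `_N` port revision, so a rebuilt `6.6.2p1_1` package is correctly reported as fixed while `6.6.2` without the portable `p1` level is treated conservatively as older than the fixed release.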
Comment 3 Dima Panov freebsd_committer 2020-01-29 02:57:34 UTC
Committed, thanks!
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-29 03:09:13 UTC
^Triage: Re-open pending MFH

@Dima Do you have a VuXML entry coming for this?
Comment 5 Dima Panov freebsd_committer 2020-01-29 05:36:08 UTC
(In reply to Kubilay Kocak from comment #4)
Not yet, busy IRL till evening :( if you can do it faster, ship it!
Comment 6 commit-hook freebsd_committer 2020-01-30 06:25:52 UTC
A commit references this bug:

Author: fluffy
Date: Thu Jan 30 06:25:48 UTC 2020
New revision: 524633
URL: https://svnweb.freebsd.org/changeset/ports/524633

Log:
  Document mail/opensmtpd LPE and RCE vulnerabilities

  PR:		243686
  Security:	CVE-2020-7247

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2020-01-31 09:37:48 UTC
A commit references this bug:

Author: fluffy
Date: Fri Jan 31 09:37:28 UTC 2020
New revision: 524685
URL: https://svnweb.freebsd.org/changeset/ports/524685

Log:
  MFH: r524529

  mail/opensmtpd: update to 6.6.2p1 release

  This update addresses LPE and RCE vulnerabilities in OpenSMTPD (CVE-2020-7247)
  https://www.openwall.com/lists/oss-security/2020/01/28/3

  This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch
  smtpd to new grammar") and allows an attacker to execute arbitrary shell
  commands, as root:

  - either locally, in OpenSMTPD's default configuration (which listens on
    the loopback interface and only accepts mail from localhost);

  - or locally and remotely, in OpenSMTPD's "uncommented" default
    configuration (which listens on all interfaces and accepts external
    mail).

  PR:		243686
  Reported by:	authors via irc
  Relnotes:	https://www.mail-archive.com/misc@opensmtpd.org/msg04850.html
  Security:	CVE-2020-7247
  Security:	08f5c27d-4326-11ea-af8b-00155d0a0200

  Approved by:	ports-secteam (blanket, security issue)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/mail/opensmtpd/Makefile
  branches/2020Q1/mail/opensmtpd/distinfo
Comment 8 Dima Panov freebsd_committer 2020-01-31 09:39:57 UTC
Merged to quarterly, listed in vuxml